Data breach class action lawsuits involving two health care organizations have sparked new filings in federal court. There are currently 11 cases filed in federal courts in California and Washington against MCG Health, LLC (MCG). A separate hacking incident against Shields Health Care Group (Shields), a company that provides MRI, PET/CT and ambulatory surgical services in New England, has resulted in 7 filings in the U.S.D.C. for the District of Massachusetts.
MCG, a Seattle-based software company that provides patient care guidelines and software to healthcare plans and providers, reported in June that it had suffered a data breach on March 25, 2022 that impacted 793,283 individuals. The breach potentially exposed names, postal and email addresses, telephone numbers, gender, dates of birth, medical codes and Social Security numbers. To date, a number of groups have acknowledged that their data was exposed as a result of the breach, including:
- Newman Regional Medical Center (Emporia, KS)
- Avera Health (Sioux Falls, SD)
- CHI Health (Omaha, NE)
- Phelps Health (Rolla, MO)
- Indiana University Health (Indianapolis, IN)
- Henry County Medical Center (Paris, TN)
- Jefferson County Medical Center (Fairfield, IA)
- UNC Lenoir Health Care (Kinston, NC)
- Copley Hospital (Morrisville, VT)
- Catholic Health Initiatives (Englewood, CO)
- Mary’s Health Network (Reno, NV)
In response to the breach, MCG issued a notice stating:
“Upon learning of this issue, MCG took steps to understand its nature and scope. A leading forensic investigation firm was retained to assist in the investigation. Additionally, MCG is coordinating with law enforcement authorities. MCG has deployed additional monitoring tools and will continue to enhance the security of its systems.”
The company has also offered credit monitoring services to impacted individuals. Plaintiffs accuse MCG of negligence in failing to protect consumers’ personal information, in violation of the Washington State Consumer Protection Act. They also claim that the company failed to notify them in a timely manner of the breach. One complaint states that MCG waited three months to notify the plaintiff and allegations in another lawsuit state that MCG knew of the breach in December 2021.
In a similar data breach, Shields, a company that provides management and imaging services for healthcare facilities in New England, suffered an attack that put the personal information of approximately two million current and former patients at risk. Between March 7 and March 21 an unauthorized actor was able to access the names, Social Security numbers, dates of birth, home addresses, medical and treatment information and billing and insurance information of impacted individuals. The breach was reported to HHS’ Office for Civil Rights’ portal on May 27; however, one of the class action lawsuits filed in July claims that Shields was made aware of the breach on March 28 but failed to advise patients until June 7, exceeding the 60 day timeframe required by law for the company to notify victims of the attack. The company lists 56 facility partners on its website who have been affected. In its notification to patients, Shields stated:
“On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.
This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame. Although Shields had identified and investigated a security alert on or around March 18, 2022, data theft was not confirmed at that time.”
The lawsuits allege that Shields’ failed to implement and maintain appropriate safeguards to protect patients from the breach and negligently handled the patients’ private information.
Read our related blogs:
Litigation Update: Logan Health Medical Center Data Breach Causes Class Action Filing